Managing client machine local admin rights manually is a tedious systems management task. In this tutorial, we will showcase how, with Goverlan Reach Process Automation framework, you can find out who is in the local administrator group on multiple Windows workstations, audit the local admins group for compliance and automatically remove the non-compliant admins as well.
If you have never automated a workflow with our Process Automation framework, you may watch the video below or read our Scope Action Creation Basics article for more information.
Process Automation Step 1 – Reporting on Non-compliant Local Admins
The action module should consist of the following Report Item:
Add \ Remove –> Report Computer Property –> Local Account Database –> Local Groups –> Members –> AD Account Name
TIP: Instead of choosing “Members”, try choosing “Members (Effective)” to recurse nested groups and see exactly who ends up with local administrative rights. See our article on Recursive Group reporting for more information.
Process Automation Step 2 – Filtering out Known Accounts
You will need a filter that selects the local Administrators group and then excludes the accounts that are supposed to be in that group.
Use the “Only if the following is true” section to create the filter:
Add \ Remove –> Set Computer Condition –> Local Account Database –> Local Groups –> NT Account Name
The condition should be set to “=”
The Desired Value should be Administrators
Next, filter out the accounts and groups that should not appear in the report, i.e. the accounts that are expected to be present in the local admins group.
Add \ Remove –> Set Computer Condition –> Local Account Database –> Local Groups –> Members –> NT Account Name
The condition should be set to “NOT =”
The Desired Value should be “Administrator” or the name of your local admin account.
Add a new condition for each “Members –> NT Account Name” value that should not appear in the report.
Report Sample
Process Automation Step 3 – Removing Non-Compliant Admins
Create a new action module and add the following action.
Add \ Remove –> Execute Computer Action –> Local Account Database –> Local Groups –> Members –> Delete Object
Create the same filter here in Step 3 as you did in Step 2. Goverlan will remove all users or groups EXCEPT the ones specified in the filter list.
NOTE: YOU MUST NOW CREATE THE SAME FILTER IN STEP 3! NOT DOING THIS WILL TELL GOVERLAN TO REMOVE ALL MEMBERS!
Re-run the report from Step 2 to verify your results.
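The same three steps expressed as a script, added here as an example and not part of Goverlan's product or documentation: enumerate the local Administrators group on a list of workstations, flag every member outside an allow-list (Steps 1 and 2), and remove only the flagged members when the -Remove switch is given (Step 3). It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on the targets and WinRM enabled for Invoke-Command; the computer names and allow-list entries are placeholders.

```powershell
<#
  Added example (not Goverlan code): audit the local Administrators group on several
  workstations against an allow-list and, only with -Remove, strip the rest.
  Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) on the targets and
  WinRM enabled. Computer names and allow-list entries below are placeholders.
#>
param(
    [string[]]$ComputerName   = @('WKS-001', 'WKS-002'),   # placeholder workstation names
    [string[]]$AllowedMembers = @(
        'Administrator',                                   # built-in local admin (matched by bare name)
        'CORP\Domain Admins',                              # placeholder domain group
        'CORP\Workstation-Admins'                          # placeholder delegated admin group
    ),
    [switch]$Remove                                        # default is report-only
)

# Mirrors the warning in Step 3: an empty allow-list would flag (and remove) every member.
if (-not $AllowedMembers) {
    throw 'Allow-list is empty; refusing to run because every member would be flagged.'
}

# Runs on each target: list direct members and mark those outside the allow-list.
$auditBlock = {
    param($Allowed)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Name is 'DOMAIN\account' for domain principals and 'COMPUTER\account' for
        # local ones; compare the bare name as well so 'Administrator' matches everywhere.
        $leaf = $_.Name.Split('\')[-1]
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Member    = $_.Name
            Class     = $_.ObjectClass        # User or Group
            Source    = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD
            Compliant = ($Allowed -contains $_.Name) -or
                        ($_.PrincipalSource -eq 'Local' -and $Allowed -contains $leaf)
        }
    }
}

# Steps 1 and 2: collect members from every workstation and keep the non-compliant ones.
$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock $auditBlock `
                         -ArgumentList (,$AllowedMembers) |
          Where-Object { -not $_.Compliant }

$report | Sort-Object Computer, Member |
          Format-Table Computer, Member, Class, Source -AutoSize

# Step 3: remove only what the report flagged. Without -Remove this is a dry run.
if ($Remove -and $report) {
    $report | Group-Object Computer | ForEach-Object {
        $names = @($_.Group.Member)
        Invoke-Command -ComputerName $_.Name -ArgumentList (,$names) -ScriptBlock {
            param($Targets)
            foreach ($t in $Targets) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $t -Confirm:$false
                Write-Host "Removed $t from Administrators on $env:COMPUTERNAME"
            }
        }
    }
}
```

Run it without -Remove first and review the table, exactly as the tutorial has you run the report before the removal action. Note that Get-LocalGroupMember lists direct members only, so this corresponds to “Members” rather than “Members (Effective)”; expanding nested domain groups would need an additional lookup against Active Directory.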